ClientModule
ClientModule is available only in combination with the WmiExecution and WmiQuery operations, which have a client process. The client process is the process that actually invoked the WMI method (or issued the WMI query); the ClientModule properties describe the executable image of that process, so a rule condition on ClientModule tests the caller of the WMI operation rather than the process in which the operation is observed.
| Property | Type | Description | Example |
|---|---|---|---|
| AugurScore | Int | Score assigned by the ESET machine-learning engine (Augur). Possible values are 0 to 99 | 67 |
| CompanyName | String | From version info, name of the company that produced the file | "Microsoft Corporation" |
| DaysSinceLastNearMiss | Int | Number of days since the file was last recognized as a near miss. Near miss: a detection was triggered, but it may be a false positive (ESET cannot guarantee it is malware) | |
| EmulationStatus | Int | Status of file emulation (whether the file was emulated by advanced heuristics) | 0: Was not emulated; 1: Was emulated |
| FileDescription | String | From version info, file description shown to users | "Microsoft Windows Resource Leak Diagnostic" |
| FileOrigin | | Origin of the file (file delivered through RDP) | Possible values are: 0: RDP |
| FileSize | Int | File size in bytes | 41984 |
| FileVersion | String | From version info, the version number of the file | "10.0.14393.0" |
| InternalName | String | From version info, internal name of the file | "RdrLeakDiag.exe" |
| IsDLL | Bool | The file is a PE DLL | true/false |
| IsElf | Bool | The file is an ELF file | true/false |
| IsExe | Bool | The file is an executable | true/false |
| IsMacho | Bool | The file is a Mach-O (macOS) file | true/false |
| IsNative | Bool | The file is a native PE executable | true/false |
| isPe | Bool | The file is a Windows PE executable | true/false |
| MD5 | Hash | MD5 hash of the executable | |
| MachoIsProtected | Bool | The module is a protected Mach-O executable | |
| MachoSignatureId | String | Identifier of the Mach-O file present in its code signature | "com.apple.ls" |
| MachoSignerCns | Set of strings | Set of common names (CNs) from the certificates in the Mach-O file's signature | |
| MachoUserId | String | Unique developer ID assigned by Apple | |
| OriginalFileName | String | From version info, original name of the file | "RdrLeakDiag.exe" |
| PackerName ¹ | String | Name of the packer | "UPX" |
| ProductName | String | From version info, name of the product with which the file is distributed | "Microsoft Windows Operating System" |
| ProductVersion | String | From version info, the version number of the product with which the file is distributed | "10.0.14393" |
| SFXName | String | Name of the SFX (self-extracting archive) packer | "Zip" |
| Sha1 | Hash | SHA-1 hash of the executable | fa7ebffd41bc44c47ea1b11928ee368c19f6d6a2 |
| Sha256 | Hash | SHA-256 hash of the executable | |
| SignatureType | | Signature type of the executable. Higher values indicate more trust, so a numeric comparison (for example, less than 80) selects every state below "trusted by the OS" | Possible values are: 90: Trusted (the signature is trusted by Endpoint); 80: Valid (the signature is trusted by the OS); 75: Adhoc (the certificate is self-signed); 70: None (there is no signature in the file); 60: Invalid (the signature is not valid, corrupted or revoked); 50: Present (the signature is present, but the certificate status is unknown); 50: Unknown (failed to verify the certificate) |
| SignerName | String | Name of the signer, if any | "Microsoft Windows" |
| Tags | String | Allows a user to filter by a module that has a specified tag attached | |
| Whitelist | | Whitelist type of the executable | Possible values are: 0: None (no whitelisting for this file); 1: Authoritative (the file is whitelisted by Endpoint); 2: LiveGrid (the file is whitelisted from LiveGrid); 3: Certificate (the file certificate is whitelisted) |

¹ Names of packers may change in the future. Therefore we recommend using the isnotempty or isempty condition rather than matching a specific packer name.
Conditions supported for set types (Set of IPv4 addresses, Set of IPv6 addresses, Set of strings, Set of symbols) are listed in the Property types & Relations table under set of values.
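The following is an added example, not ESET code and not ESET Inspect rule syntax: a small evaluator that applies rule-style conditions to the ClientModule properties of WmiExecution and WmiQuery events. It models the threshold semantics of SignatureType, the Whitelist values, the footnote's advice to test PackerName with isnotempty instead of a literal name, and a set-typed condition on MachoSignerCns. The property names and value meanings come from the table above; the condition tokens `isempty` and `isnotempty` are mentioned on this page, while `equal`, `less` and `contains` are assumed names for this example only. All events are constructed sample data.

```python
# Added example (not ESET code): evaluate rule-style conditions against the
# ClientModule properties of WmiExecution / WmiQuery events.
# Condition tokens `isempty` / `isnotempty` follow the page; `equal`, `less`
# and `contains` are assumed names used only in this example.
from typing import Any, Callable

# SignatureType values from the table (higher = more trust).
SIG_TRUSTED, SIG_VALID, SIG_ADHOC, SIG_NONE, SIG_INVALID, SIG_PRESENT = 90, 80, 75, 70, 60, 50
# Whitelist values from the table.
WL_NONE, WL_AUTHORITATIVE, WL_LIVEGRID, WL_CERTIFICATE = 0, 1, 2, 3


def _empty(v: Any) -> bool:
    # A missing property, an empty string and an empty set all count as "empty".
    return v is None or v == "" or (isinstance(v, (set, frozenset, list)) and len(v) == 0)


OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equal": lambda v, x: v == x,
    "less": lambda v, x: v is not None and v < x,
    "isempty": lambda v, _x: _empty(v),
    "isnotempty": lambda v, _x: not _empty(v),
    # For set-typed properties such as MachoSignerCns: does the set contain x?
    "contains": lambda v, x: (not _empty(v)) and x in v,
}

Condition = tuple[str, str, Any]  # (property, operator, value)


def matches(client_module: dict[str, Any], conditions: list[Condition]) -> bool:
    """True when every condition holds for the given ClientModule record (AND)."""
    return all(OPERATORS[op](client_module.get(prop), val) for prop, op, val in conditions)


# Rule: WMI client not trusted by the OS or Endpoint, not whitelisted, and packed.
# "less 80" covers Adhoc, None, Invalid, Present and Unknown in one comparison.
# The packer test follows the footnote: isnotempty rather than equal "UPX".
SUSPICIOUS_PACKED_WMI_CLIENT: list[Condition] = [
    ("SignatureType", "less", SIG_VALID),
    ("Whitelist", "equal", WL_NONE),
    ("PackerName", "isnotempty", None),
]

# Rule for macOS clients: a Mach-O image whose signature carries no signer CNs.
UNSIGNED_MACHO_WMI_CLIENT: list[Condition] = [
    ("IsMacho", "equal", True),
    ("MachoSignerCns", "isempty", None),
]

# Constructed sample events: (operation type, ClientModule properties).
SAMPLE_EVENTS = [
    ("WmiExecution", {"OriginalFileName": "wmic.exe", "SignatureType": SIG_TRUSTED,
                      "Whitelist": WL_AUTHORITATIVE, "PackerName": "", "isPe": True}),
    ("WmiExecution", {"OriginalFileName": "updater.exe", "SignatureType": SIG_NONE,
                      "Whitelist": WL_NONE, "PackerName": "UPX", "isPe": True}),
    ("WmiQuery", {"OriginalFileName": "inventory.exe", "SignatureType": SIG_ADHOC,
                  "Whitelist": WL_LIVEGRID, "PackerName": "MPRESS", "isPe": True}),
    ("WmiQuery", {"OriginalFileName": "script_host.exe", "SignatureType": SIG_NONE,
                  "Whitelist": WL_NONE, "isPe": True}),  # no PackerName property at all
    ("WmiExecution", {"OriginalFileName": "agent", "IsMacho": True,
                      "MachoSignerCns": set()}),
    # Not a WMI operation; real events of this type carry no ClientModule. It is
    # included only to show that the operation check must come first.
    ("ProcessStart", {"OriginalFileName": "svc.exe", "SignatureType": SIG_NONE,
                      "Whitelist": WL_NONE, "PackerName": "UPX"}),
]

WMI_OPERATIONS = {"WmiExecution", "WmiQuery"}


def hits(events, conditions: list[Condition]) -> list[str]:
    """Client module names matching the rule; ClientModule exists only on WMI operations."""
    return [cm["OriginalFileName"] for op, cm in events
            if op in WMI_OPERATIONS and matches(cm, conditions)]


if __name__ == "__main__":
    print(hits(SAMPLE_EVENTS, SUSPICIOUS_PACKED_WMI_CLIENT))  # ['updater.exe']
    print(hits(SAMPLE_EVENTS, UNSIGNED_MACHO_WMI_CLIENT))     # ['agent']
```

Note how the self-signed but LiveGrid-whitelisted client (inventory.exe) and the unsigned, unpacked client (script_host.exe) both fall through: the Whitelist check and the isnotempty check on PackerName are what keep the rule from firing on every unsigned WMI caller.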
Supported operations
•WmiExecution
•WmiQuery